The SP/app looks up the user's invitation and determines whether the user is an RAO.

If the user is an RAO, the SAML authentication context class (AuthnContextClassRef) in the received assertion is checked.

If the RAO user did not authenticate with MFA, they are sent back to the IdP with only 'https://refeds.org/profile/mfa' set as the allowed/requested SAML authentication context class (since the user was identified as an RAO). If the user is not an RAO, they are a DRAO and are logged in.
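The decision logic described above, as an added example written for this page rather than code taken from any particular SP implementation. It assumes the SAML library has already validated the assertion's signature, issuer and conditions, and that the invitation lookup is a simple in-memory table (INVITATIONS, constructed here) keyed by the asserted subject; a subject with no invitation is denied, which is an assumption the text above does not cover. The RAO check requires the exact REFEDS MFA URI, and the redirect back to the IdP carries a RequestedAuthnContext with Comparison="exact" listing only that URI.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
REFEDS_MFA = "https://refeds.org/profile/mfa"

# Hypothetical stand-in for the SP's invitation lookup: subject -> invitation record.
INVITATIONS = {
    "alice@example.org": {"role": "RAO"},
    "bob@example.org": {"role": "DRAO"},
}

# Constructed sample assertions (not real IdP output), trimmed to the elements this check reads.
PASSWORD_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-1" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

MFA_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-2" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef> {REFEDS_MFA} </saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def invitation_role(subject):
    """Return 'RAO', 'DRAO' or None (no invitation on file) for the asserted subject."""
    inv = INVITATIONS.get(subject)
    return inv["role"] if inv else None


def authn_context_class_refs(assertion_xml):
    """Collect every AuthnContextClassRef value in the assertion, whitespace-trimmed."""
    root = ET.fromstring(assertion_xml)
    return [el.text.strip() for el in root.iter(f"{{{SAML_NS}}}AuthnContextClassRef") if el.text]


def decide(subject, assertion_xml):
    """Apply the RAO/DRAO rule: RAOs must carry the exact REFEDS MFA class, DRAOs log in as-is."""
    role = invitation_role(subject)
    if role is None:
        # Assumption: no invitation means no access at all (the page does not cover this case).
        return {"action": "deny", "role": None}
    if role != "RAO":
        return {"action": "login", "role": "DRAO"}
    if REFEDS_MFA in authn_context_class_refs(assertion_xml):
        return {"action": "login", "role": "RAO"}
    # RAO without MFA: bounce to the IdP asking for REFEDS MFA and nothing else.
    return {"action": "redirect_to_idp", "role": "RAO", "requested_authn_context": [REFEDS_MFA]}


def requested_authn_context_xml(class_refs):
    """Build the <samlp:RequestedAuthnContext Comparison="exact"> element for the new AuthnRequest."""
    ET.register_namespace("samlp", SAMLP_NS)
    ET.register_namespace("saml", SAML_NS)
    rac = ET.Element(f"{{{SAMLP_NS}}}RequestedAuthnContext", {"Comparison": "exact"})
    for ref in class_refs:
        ET.SubElement(rac, f"{{{SAML_NS}}}AuthnContextClassRef").text = ref
    return ET.tostring(rac, encoding="unicode")


def parse_requested_authn_context(xml_str):
    """Read back a RequestedAuthnContext: (Comparison attribute, list of class refs)."""
    rac = ET.fromstring(xml_str)
    refs = [el.text for el in rac.iter(f"{{{SAML_NS}}}AuthnContextClassRef")]
    return rac.get("Comparison"), refs


if __name__ == "__main__":
    for subject, assertion in [("alice@example.org", PASSWORD_ASSERTION),
                               ("alice@example.org", MFA_ASSERTION),
                               ("bob@example.org", PASSWORD_ASSERTION)]:
        print(subject, decide(subject, assertion))
    print(requested_authn_context_xml([REFEDS_MFA]))
```

The check matches the REFEDS MFA URI exactly instead of treating any "stronger-looking" class as sufficient, which is what the profile expects and what the Comparison="exact" setting on the outgoing request also enforces on the IdP side.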